2017-11-08 - HANCITOR MALSPAM - SUBJECT: RE: IPHONE X PRE-ORDER

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-11-08-Hancitor-malspam-traffic.pcap.zip   808 kB (808,249 bytes)

• 2017-11-08-Hancitor-malspam-traffic.pcap   (1,024,590 bytes)

• Zip archive of the malware:  2017-11-08-Hancitor-malspam-and-artifacts.zip   217 kB (217,457 bytes)

• 2017-11-08-Hancitor-malspam-1648-UTC.eml   (1,190 bytes)
• 2017-11-08-Hancitor-malspam-1708-UTC.eml   (1,163 bytes)
• 2017-11-08-Hancitor-malspam-1735-UTC.eml   (1,153 bytes)
• 2017-11-08-Hancitor-malspam-1835-UTC.eml   (1,147 bytes)
• search.json.exe   (150,016 bytes)
• tracking_info_760613.doc   (186,368 bytes)

 

NOTES:

• On this Twitter thread, some security professionals discuss today's Hancitor malspam.
• See this Pastebin page for some domains and URLs not included in this blog post.

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time: Wednesday 2017-11-08 as early as 16:48 UTC through at least 17:35 UTC
• Subject:  RE: iPhone X pre-order
• From:  "SOUL Electronics USA" <order@soulelectronics.com>

• Received: from soulelectronics.com ([104.201.90.210])
• Received: from soulelectronics.com ([12.30.76.186])
• Received: from soulelectronics.com ([136.61.93.165])
• Received: from soulelectronics.com ([173.57.217.100])
• Received: from soulelectronics.com ([187.157.157.210])
• Received: from soulelectronics.com ([203.115.6.50])
• Received: from soulelectronics.com ([207.150.242.6])
• Received: from soulelectronics.com ([207.188.230.106])
• Received: from soulelectronics.com ([209.208.210.100])
• Received: from soulelectronics.com ([43.229.227.26])
• Received: from soulelectronics.com ([46.120.81.165])
• Received: from soulelectronics.com ([47.190.52.75])
• Received: from soulelectronics.com ([69.42.242.226])
• Received: from soulelectronics.com ([69.85.254.82])
• Received: from soulelectronics.com ([70.118.115.26])
• Received: from soulelectronics.com ([70.35.235.156])
• Received: from soulelectronics.com ([74.80.8.126])
• Received: from soulelectronics.com ([75.150.209.37])
• Received: from soulelectronics.com ([76.249.243.118])
• Received: from soulelectronics.com ([97.75.106.38])
• Received: from soulelectronics.com (107-1-172-100-ip-static.hfc.comcastbusiness.net [107.1.172.100])
• Received: from soulelectronics.com (216-241-61-98.static-ip.telepacific.net [216.241.61.98])
• Received: from soulelectronics.com (23-24-137-153-static.hfc.comcastbusiness.net [23.24.137.153])
• Received: from soulelectronics.com (50-242-52-169-static.hfc.comcastbusiness.net [50.242.52.169])
• Received: from soulelectronics.com (50-250-6-25-static.hfc.comcastbusiness.net [50.250.6.25])
• Received: from soulelectronics.com (50-250-94-177-static.hfc.comcastbusiness.net [50.250.94.177])
• Received: from soulelectronics.com (50-253-24-11-static.hfc.comcastbusiness.net [50.253.24.11])
• Received: from soulelectronics.com (64.50.123.147.ptr.us.xo.net [64.50.123.147])
• Received: from soulelectronics.com (65.23.16.178.nw.nuvox.net [65.23.16.178])
• Received: from soulelectronics.com (74-95-66-202-Minnesota.hfc.comcastbusiness.net [74.95.66.202])
• Received: from soulelectronics.com (75-138-226-161.dhcp.jcsn.tn.charter.com [75.138.226.161])
• Received: from soulelectronics.com (75-148-212-67-Houston.hfc.comcastbusiness.net [75.148.212.67])
• Received: from soulelectronics.com (96-38-75-90.static.jcsn.tn.charter.com [96.38.75.90])
• Received: from soulelectronics.com (96-88-142-22-static.hfc.comcastbusiness.net [96.88.142.22])
• Received: from soulelectronics.com (cmr-208-124-161-114.cr.net.cable.rogers.com [208.124.161.114])
• Received: from soulelectronics.com (cpe-static-negastroenterologyofhonesdale-rtr.cmts.haw.ptd.net [24.238.61.74])
• Received: from soulelectronics.com (email.howlandpump.com [69.193.107.42])
• Received: from soulelectronics.com (hlfxns0169w-142-176-102-132.pppoe-dynamic.high-speed.ns.bellaliant.net [142.176.102.132])
• Received: from soulelectronics.com (host-192-111-78-73.EPSOLT4.epbfi.com [192.111.78.73])
• Received: from soulelectronics.com (mail.allpointswasteservice.com [98.101.85.218])
• Received: from soulelectronics.com (mail.consigliandbrucato.com [98.118.62.186])
• Received: from soulelectronics.com (mail.knoxhousing.org [75.149.219.189])
• Received: from soulelectronics.com (mail.lehrmiddlebrooks.com [74.254.232.226])
• Received: from soulelectronics.com (mail.pba1873.com [99.124.239.57])
• Received: from soulelectronics.com (mail.thebellcenter.org [97.78.63.250])
• Received: from soulelectronics.com (rrcs-24-213-182-28.nyc.biz.rr.com [24.213.182.28])
• Received: from soulelectronics.com (rrcs-67-52-227-178.west.biz.rr.com [67.52.227.178])
• Received: from soulelectronics.com (rrcs-70-63-4-86.central.biz.rr.com [70.63.4.86])
• Received: from soulelectronics.com (static-68-236-120-88.bstnma.east.verizon.net [68.236.120.88])
• Received: from soulelectronics.com (static-71-175-81-126.phlapa.fios.verizon.net [71.175.81.126])
• Received: from soulelectronics.com (static-72-87-95-7.prvdri.fios.verizon.net [72.87.95.7])
• Received: from soulelectronics.com (static-98-118-52-168.bstnma.fios.verizon.net [98.118.52.168])
• Received: from soulelectronics.com (wsip-184-176-151-108.ph.ph.cox.net [184.176.151.108])
• Received: from soulelectronics.com (wsip-184-183-13-36.ph.ph.cox.net [184.183.13.36])
• Received: from soulelectronics.com (wsip-70-184-164-23.hr.hr.cox.net [70.184.164.23])
• Received: from soulelectronics.com (wsip-98-191-199-122.ok.ok.cox.net [98.191.199.122])

 

Shown above:  Clicking on a link from one of the emails.

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

• hxxp://attorneylove.com
• hxxp://captainspeedy.com
• hxxp://johnsanna.com
• hxxp://mobileevolution.net
• hxxp://nominateattorneys.com
• hxxp://phonefix.guru
• hxxp://phonefix.repair
• hxxp://topattorneysofna.com
• hxxp://whoswhodirectories.com
• hxxp://wwdirectories.com

NETOWRK TRAFFIC FROM MY INFECTED LAB HOST:

• 45.76.92.24 port 80 - phonefix.guru - GET /
• port 80 - api.ipify.org - IP address check by the infected Windows host
• 185.187.90.38 port 80 - parhecotevent.com - POST /ls5/forum.php
• 185.187.90.38 port 80 - parhecotevent.com - POST /mlu/forum.php
• 185.187.90.38 port 80 - parhecotevent.com - POST /d2/about.php
• 27.254.142.193 port 80 - bamrungrak.ac.th - GET /wp-content/plugins/disable-comments/1
• 27.254.142.193 port 80 - bamrungrak.ac.th - GET /wp-content/plugins/disable-comments/2
• 27.254.142.193 port 80 - bamrungrak.ac.th - GET /wp-content/plugins/disable-comments/3
• 185.174.173.6 port 443 - henfobuthis.com - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• port 80 - google.com - Connectivity check by Zeus Panda Banker
• port 80 - www.google.com - Connectivity check by Zeus Panda Banker
• port 443 - www.google.com - Connectivity check by Zeus Panda Banker

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  45ce33d3461844999b883db1b54a51a37ac85115f17aea24906be23362562235
  File name:  tracking_info_[six random digits].doc (for example: tracking_info_760613.doc)
  File size:  186,368 bytes
  File description:  Microsoft Word document with malicious macro for Hancitor

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  477ee5f96261a841dac846a4ad22520db4f9630edf3082f23846f70642d3bff3
  File location:  C:\Users\[username]\AppData\Roaming\[random existing path]\[random name].exe
  File size:  150,016 bytes
  File description:  Zeus Panda Banker

 

IMAGES

Shown above:  Zeus Panda Banker made persistent on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-11-08-Hancitor-malspam-traffic.pcap.zip   808 kB (808,249
• Zip archive of the malware:  2017-11-08-Hancitor-malspam-and-artifacts.zip   217 kB (217,457 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.